Council of Europe website at coe.int/dataprotection, and on the European Court of Human Rights website under the Case-Law menu at: echr.coe.int.

The Council of Europe (CoE) and the European Court of Human Rights (ECtHR) take

European Union Agency for Fundamental Rights (FRA)

Updates will become available in future on the FRA website at: fra.europa.eu,

European law relating to asylum, borders and immigration.

the protection of personal data. Europe enjoys one of the most protective systems in this sphere, which is based on Council of Europe Convention 108, European Union (EU) instruments, as well as the case law of the European Court of Human Rights (ECtHR) and of the Court of Justice of the European Union (CJEU).

data protection rules in European Union and Council of Europe member states

designed for non-specialist legal professionals, judges, national data protection authorities and other persons working in the field of data protection.

Charter of Fundamental Rights of the EU became legally binding, and with this the right to the protection of personal data was elevated to the status of a separate fundamental right.

CCTV: Closed circuit television
CETS: Council of Europe Treaty Series
Charter: Charter of Fundamental Rights of the European Union
CIS: Customs information system
CJEU: Court of Justice of the European Union (prior to December 2009, it was called the European Court of Justice, ECJ)
CoE: Council of Europe
Convention 108: Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Council of Europe)
CRM: Customer relations management
C-SIS: Central Schengen Information System
EAW: European Arrest Warrant
EC: European Community
ECHR: European Convention on Human Rights
ECtHR: European Court of Human Rights
EDPS: European Data Protection Supervisor
EEA: European Economic Area
EFTA: European Free Trade Association
ENISA: European Network and Information Security Agency
ENU: Europol National Unit
ESMA: European Securities and Markets Authority
eTEN: Trans-European Telecommunication Networks
EU: European Union
EuroPriSe: European Privacy Seal
eu-LISA: EU Agency for Large-scale IT Systems
FRA: European Union Agency for Fundamental Rights
GPS: Global positioning system
JSB: Joint Supervisory Body
NGO: Non-governmental organisation
N-SIS: National Schengen Information System
OECD: Organisation for Economic Co-operation and Development
PIN: Personal identification number
PNR: Passenger name record
SEPA: Single Euro Payments Area
SIS: Schengen Information System
SWIFT: Society for Worldwide Interbank Financial Telecommunication
TEU: Treaty on European Union
TFEU: Treaty on the Functioning of the European Union
UDHR: Universal Declaration of Human Rights
UN: United Nations
VIS: Visa Information System

data protection; it is intended for lawyers, judges or other practitioners as well as those working for other bodies, including non-governmental organisations (NGOs), who may be confronted with legal questions relating to data protection.

Automatic Processing of Personal Data

the Charter of Fundamental Rights of the European Union, as interpreted in the case law of the Court of Justice of the European Union (CJEU; before December 2009 it was called the European Court of Justice, ECJ). The case law described or cited in this handbook provides examples of an important body of both ECtHR and CJEU case law.

Convention 108 applies to all data processing carried out by both the private and public sector, such as data processing by the judiciary and law enforcement authorities. It protects the individual against abuses, which may accompany the collection and processing of personal data, and seeks, at the same time, to regulate the transborder flow of personal data. As regards the collection and processing of personal data, the principles laid down in the convention concern, in particular, fair and lawful collection and automatic processing of data, stored for specified legitimate purposes and not for use for ends incompatible with these purposes nor kept for longer than is necessary.

In addition to providing guarantees on the collection and processing of personal data, it outlaws, in the absence of proper legal safeguards, the processing of ‘sensitive’ data, such as data on a person’s race, politics, health, religion, sexual life or criminal record.

The convention also enshrines the individual’s right to know that information is stored on him or her and, if necessary, to have it corrected.

Treaty on European Union (TEU) and the Treaty on the Functioning of the European Union (TFEU), have been approved by all EU Member States and are also referred to as ‘primary EU law’.

free flow of data, which could not be realised unless the Member States could rely on a uniform high level of data protection.

the EU Member States have only limited freedom to manoeuvre when implementing the directive.

Outside its scope of application are, most importantly, matters of police and criminal justice cooperation.

achieve the necessary clarity in balancing other legitimate interests.

To grant protection to individuals, it brought fundamental rights into the so-called general principles of European law.

The rights described in the Charter are divided into six sections: dignity, freedoms, equality, solidarity, citizens’ rights and justice.

In January 2012, the European Commission proposed a data protection reform package, stating that the current rules on data protection needed to be modernised in light of rapid technological developments and globalisation.

The reform package consists of a proposal for a General Data Protection Regulation, meant to replace the Data Protection Directive, as well as a new General Data Protection Directive, which would provide for data protection in the areas of police and judicial cooperation in criminal matters.

purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data (General Data Protection Directive),

One of the rights likely to come into conflict with the right to data protection is the right to freedom of expression.

This right includes the “freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers”.

Case law of the European Court of Human Rights concerning the protection of personal data, DP (2013) Case law, available at: www.coe.int/t/dghl/standardsetting/dataprotection/Judgments/DP 2013 Case Law_Eng_ FINAL.pdf.

in order to achieve a balance between the two fundamental rights, the derogations and limitations of the right to data protection must apply only insofar as is strictly necessary. In those circumstances, the Court considered that activities such as those carried out by Markkinapörssi and Satamedia concerning data from documents which are in the public domain under national legislation, may be classified as ‘journalistic activities’ if their object is the disclosure to the public of information,

Constitutional Court

European Data Protection Supervisor (EDPS)

1.2.3. Freedom of the arts and sciences

Another right to balance against the right to respect for private life and to data protection is the freedom of the arts and sciences, explicitly protected under Article 13 of the Charter.

ECtHR, Vereinigung bildender Künstler v. Austria, No. 68345/01, 25 January 2007; see especially paras. 26 and 34.

section of the population. Those who created, performed, distributed or exhibited works of art contributed to the exchange of ideas and opinions, and the state had the obligation not to encroach unduly on their freedom of expression. Given that the painting was a collage and used photos of only the heads of persons, and that their bodies were painted in an unrealistic and exaggerated manner, which obviously did not aim to reflect or even suggest reality, the ECtHR further stated that “the painting could hardly be understood to address details of [the depicted’s] private life, but rather related to his public standing as a politician” and that “in this capacity [the depicted] had to display a wider tolerance in respect of criticism”. Weighing the different interests at stake, the ECtHR found that the unlimited prohibition against further exhibiting the painting was disproportionate. The Court concluded that there had been a violation of Article 10 of the ECHR.

Several directives can be found in the EU legal order, aiming at the effective protection of intellectual property, in particular copyright. Intellectual property covers not only literary and artistic property but also patent, trademark and associated rights.

internet file-sharing platforms.

Directive on privacy and electronic communications (2002/58/EC), do not preclude Member States from laying down an obligation to disclose personal data in the context of civil proceedings, to ensure the effective protection of copyright.

Personal data

Key points

• Data are personal data if they relate to an identified or at least identifiable person, the data subject.

• A person is identifiable if additional information can be obtained without unreasonable effort, allowing the identification of the data subject.

• Data are anonymised if they no longer contain any identifiers; they are pseudonymised if the identifiers are encrypted.

Rights under the ECHR are guaranteed not only to natural persons but to everyone.

protection of natural persons; however, the contracting parties may extend data protection to legal persons, such as business companies and associations in their domestic law.

Under EU law as well as under CoE law, information contains data about a person if:

• an individual is identified in this information; or
• an individual, while not identified, is described in this information in a way which makes it possible to find out who the data subject is by conducting further research.

Evidently, identification requires elements which describe a person in such a way that he or she is distinguishable from all other persons and recognisable as an individual.

In exceptional cases, other identifiers can have a similar effect to a name. For instance, for public figures it may be enough to refer to the position of the person, such as President of the European Commission.

Date and place of birth are often used. In addition, personalised numbers have been introduced in some countries in order to better distinguish between citizens.

Biometric data, such as fingerprints, digital photos or iris scans, are becoming increasingly important to identifying persons in the technological age.

local authorities do not have a means of identification directly available to them, they will pass on the data to the competent authority, the police, who do have such means.

Authentication can be achieved by means of comparing biometric data, such as a photo or fingerprints in a passport, with the data of the person presenting himself or herself, for example, at immigration control; or by asking for information which should be known only to the person with a certain identity or authorisation, such as a personal identification number (PIN) or password; or by requiring the presentation of a certain token, which should be exclusively in the possession of the person with a certain identity or authorisation, such as a special chip card or key to a banking safe. Apart from passwords or chip cards, sometimes together with PINs, electronic signatures are an instrument especially capable of identifying and authenticating a person in electronic communications.

the term ‘private life’ must not be interpreted restrictively and that there is no reason of principle to justify excluding activities of a professional […] nature from the notion of private life”.

Written or spoken communications may contain personal data, as may images, including closed-circuit television (CCTV) footage, or sound. Electronically recorded information, as well as information on paper, may be personal data; even cell samples of human tissue may be personal data, as they record a person’s DNA.

On the definition of sensitive data, both Convention 108 (Article 6) and the Data Protection Directive (Article 8) name the following categories:

• personal data revealing racial or ethnic origin;
• personal data revealing political opinions, religious or other beliefs; and
• personal data concerning health or sexual life.

‘trade union membership’ as sensitive data,

Data Protection Directive mandates EU Member States “to determine the conditions under which a national identification number or any other identifier of general application may be processed.”

Anonymised and pseudonymised data

According to the principle of limited retention of data, contained in the Data Protection Directive

Data are anonymised if all identifying elements have been eliminated from a set of personal data. No element may be left in the information which could, by exercising reasonable effort, serve to re-identify the person(s) concerned.

appropriate safeguards against misuse

Pseudonymised data

Personal information contains identifiers, such as a name, date of birth, sex and address. When personal information is pseudonymised, the identifiers are replaced by one pseudonym. Pseudonymisation is achieved, for instance, by encryption of the identifiers in personal data.

For everyone who is not in possession of the decryption key, pseudonymised data are identifiable only with difficulty. The link to an identity still exists, in the form of the pseudonym plus the decryption key.

For those who are entitled to use the decryption key, re-identification is easily possible.

Use of encryption keys by unauthorised persons must be particularly guarded against.
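The passages above on identifiability, anonymisation and pseudonymisation describe a procedure that is easier to judge in code. The following is an added example written for this page, not code from the handbook or from FRA or the Council of Europe. It replaces the direct identifiers of constructed sample records with one keyed pseudonym, shows that only the holder of the key can link the pseudonym back to a person, and shows that merely deleting names and addresses does not anonymise a record when the remaining date of birth, sex and postcode can be joined against an external register (also constructed). The handbook names encryption of the identifiers as one method; this example uses a keyed hash (HMAC-SHA-256) as the keyed transformation, which is an assumption of the example, as are all names, records and the REGISTER.

```python
"""Pseudonymisation versus anonymisation of personal data records.

Added example, not from the handbook; all persons, records and the external
REGISTER are constructed. The handbook names encryption of identifiers as one
way to pseudonymise; here the keyed transformation is HMAC-SHA-256 instead
(an assumption), so the key holder re-identifies by recomputing pseudonyms
over its own master list rather than by decrypting.
"""
import hashlib
import hmac
import secrets

# Direct identifiers that the pseudonym replaces; other attributes stay.
IDENTIFIERS = ("name", "date_of_birth", "address")

# Constructed sample data: records held by a controller (e.g. a clinic).
RECORDS = [
    {"name": "Anna Example", "date_of_birth": "1980-03-14",
     "address": "1 Example Street", "sex": "F", "postcode": "1000",
     "diagnosis": "asthma"},
    {"name": "Bert Example", "date_of_birth": "1975-11-02",
     "address": "2 Example Street", "sex": "M", "postcode": "1000",
     "diagnosis": "diabetes"},
    {"name": "Carla Example", "date_of_birth": "1980-07-30",
     "address": "3 Example Street", "sex": "F", "postcode": "1000",
     "diagnosis": "migraine"},
]

# Constructed external register an attacker could consult (no key needed).
REGISTER = [
    {"name": "Anna Example", "sex": "F", "postcode": "1000", "date_of_birth": "1980-03-14"},
    {"name": "Bert Example", "sex": "M", "postcode": "1000", "date_of_birth": "1975-11-02"},
    {"name": "Carla Example", "sex": "F", "postcode": "1000", "date_of_birth": "1980-07-30"},
    {"name": "Dirk Example", "sex": "M", "postcode": "1000", "date_of_birth": "1975-01-20"},
]


def _pseudonym(record, key):
    """Keyed hash over the identifiers in a fixed order; the separator cannot
    occur in the values, so one person always maps to one pseudonym."""
    canonical = "\x1f".join(record[f] for f in IDENTIFIERS).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def pseudonymise(record, key):
    """Replace all direct identifiers by one pseudonym. Without the key the
    pseudonym cannot be recomputed, so the record is identifiable only with
    difficulty; the link to the identity survives as pseudonym plus key."""
    out = {k: v for k, v in record.items() if k not in IDENTIFIERS}
    out["pseudonym"] = _pseudonym(record, key)
    return out


def reidentify(pseudonymised, key, master_list):
    """Re-identification by the key holder: recompute the pseudonym of every
    individual on the master list and match. Returns {pseudonym: name}."""
    table = {_pseudonym(p, key): p["name"] for p in master_list}
    return {r["pseudonym"]: table[r["pseudonym"]]
            for r in pseudonymised if r["pseudonym"] in table}


def anonymise(record, generalise=True):
    """Drop the identifiers outright: no pseudonym, no key. By default the
    date of birth is generalised to the year, because a full date of birth
    together with sex and postcode is itself an identifier."""
    out = {k: v for k, v in record.items() if k not in IDENTIFIERS}
    if generalise:
        out["year_of_birth"] = record["date_of_birth"][:4]
    else:
        out["date_of_birth"] = record["date_of_birth"]
    return out


def link_by_quasi_identifiers(anonymised, register):
    """Attacker without any key joins the 'anonymised' records with an external
    register on the attributes both contain. Returns {record_index: name} for
    every record matching exactly one registered person, i.e. every record
    that was not in fact anonymous."""
    found = {}
    for i, rec in enumerate(anonymised):
        if "date_of_birth" in rec:
            matches = [e["name"] for e in register
                       if (e["sex"], e["postcode"], e["date_of_birth"])
                       == (rec["sex"], rec["postcode"], rec["date_of_birth"])]
        else:
            matches = [e["name"] for e in register
                       if (e["sex"], e["postcode"], e["date_of_birth"][:4])
                       == (rec["sex"], rec["postcode"], rec["year_of_birth"])]
        if len(matches) == 1:
            found[i] = matches[0]
    return found


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # held by the controller only
    ps = [pseudonymise(r, key) for r in RECORDS]
    print("key holder re-identifies:", reidentify(ps, key, RECORDS))
    print("wrong key re-identifies:", reidentify(ps, secrets.token_bytes(32), RECORDS))
    print("naive anonymisation, linked:",
          link_by_quasi_identifiers([anonymise(r, generalise=False) for r in RECORDS], REGISTER))
    print("generalised anonymisation, linked:",
          link_by_quasi_identifiers([anonymise(r) for r in RECORDS], REGISTER))
```

Two points for a practitioner follow from running it. The pseudonym is deterministic, so the same person is recognisable across records and, for the key holder, trivially re-identifiable, which is why the link to the identity still exists. And the key is the whole secret: an attacker who obtains it re-identifies by exactly the recomputation the controller uses, so the handbook’s warning about unauthorised use of the keys is the operative control, not the choice of algorithm.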

“the act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions or hobbies, constitutes the ‘processing of personal data wholly or partly by automatic means’

• Whoever decides to process personal data of others is a ‘controller’ under data protection law; if several persons take this decision together, they may be ‘joint controllers’.
• A ‘processor’ is a legally separate entity that processes personal data on behalf of a controller.

The most important consequence of being a controller or a processor is legal responsibility for complying with the respective obligations under data protection law.

Under EU law, private individuals, when processing data about others in the course of a purely personal or household activity, do not fall under the rules of the Data Protection Directive; they are not deemed to be controllers.

However, jurisprudence has found that data protection law will, nevertheless, apply when a private person, in the course of using the internet, publishes data about others.

A case involving the Society for Worldwide Interbank Financial Telecommunication (SWIFT) illustrates the Working Party’s position.

SWIFT disclosed such banking transaction data, stored in a computing service centre in the United States (US), to the US Treasury Department without being explicitly ordered to do so by the European banking institutions that employed it.
